
Profiling Autonomous Systems Hosting Blacklisted Websites

An Autonomous System, or AS, is a routing construct that represents a group of networks under the control of a single organization (credit for this edit: Max@badwarebusters.org). ASes form the “structure” of the Internet. The organizations behind them can be thought of as web-hosting companies, large Internet-based companies, or resellers of bandwidth and IP addresses. They are usually large organizations for whom simply getting an Internet connection and hosting their own company website is not enough.

In recent months, the trend of benign websites being affected by code injection clearly shows that attacks that inject malware into unsuspecting websites are on the rise. It is important to understand the profile of the ASes that actually provide transit to infected websites hosted within their systems, since each such AS provides the bandwidth and resources that deliver malware to the computers of unsuspecting visitors of a compromised website. ASes, or more precisely the hosting companies and other network operators behind them, should play a pivotal role in addressing compromised websites.

At StopTheHacker.com, we have conducted extensive experiments to analyze and profile over 20,000 ASes to identify which ASes are the worst offenders in terms of hosting blacklisted websites. We have used Google Safe Browsing data, also accessible via StopBadware.org (which sources data from Google and Sunbelt), to identify and trend which ASes are responsible for the proliferation of badware on the Internet. We have correlated AS size with data available from CAIDA to determine whether larger ASes are more at fault or not.

We present some brief results below:

The average percentage of blacklisted websites is:

3.5% in the top 10 ASes (ranked by number of sites noted by Google)

3.75% in ASes ranked 11-23 (by the same measure)

5.01% in ASes ranked 24-40 (by the same measure)

The AS with the highest percentage of blacklisted sites is AS 16557 (Colo Solutions, Inc.), with close to 60% of 10,000 sites blacklisted.

The Top 50 ASes, which host more than 10,000 sites each and have at least 6% of websites blacklisted, host 151,000 blacklisted sites, combined.
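As an added example (not StopTheHacker's own code or data pipeline), the following Python computes the metrics quoted above from a constructed table of per-AS Safe Browsing counts: ranking by number of sites analyzed, average blacklist percentage over rank bands, and the filter for ASes hosting more than 10,000 sites with at least 6% blacklisted. Level 3's ASN, the exact counts for AS 16557 and the two filler ASes are assumptions, not values from the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ASRecord:
    asn: int
    name: str
    analyzed: int     # sites in this AS scanned by Google Safe Browsing
    blacklisted: int  # of those, sites flagged as hosting malware

    @property
    def pct_blacklisted(self) -> float:
        # An AS with no scanned sites has no meaningful rate; report 0.0
        # instead of dividing by zero so it sorts to the bottom.
        return 100.0 * self.blacklisted / self.analyzed if self.analyzed else 0.0

# Constructed sample: counts quoted in the post, plus two invented fillers.
# Level 3's ASN (3356) and AS 16557's exact counts are not stated in the post.
SAMPLE = [
    ASRecord(15169, "Google Inc.", 590734, 6046),
    ASRecord(14173, "Photobucket", 399424, 0),
    ASRecord(3356, "Level 3 Communications", 136305, 571),
    ASRecord(64500, "Example Hosting (constructed)", 25000, 2000),
    ASRecord(16557, "Colo Solutions, Inc.", 10250, 6000),
    ASRecord(7018, "AT&T", 7947, 97),
    ASRecord(701, "Verizon", 7248, 117),
    ASRecord(1239, "Sprint", 3958, 117),
    ASRecord(64501, "Example ISP (constructed)", 0, 0),
]

def rank_by_size(records):
    """Rank 1 is the AS with the most sites analyzed by Google."""
    return sorted(records, key=lambda r: r.analyzed, reverse=True)

def average_pct(records, first_rank, last_rank):
    """Mean blacklist percentage over ASes ranked first_rank..last_rank (1-based, inclusive)."""
    band = rank_by_size(records)[first_rank - 1:last_rank]
    return sum(r.pct_blacklisted for r in band) / len(band) if band else 0.0

def worst_offenders(records, min_sites=10000, min_pct=6.0):
    """ASes with more than min_sites scanned sites and at least min_pct blacklisted, in rank order."""
    return [r for r in rank_by_size(records)
            if r.analyzed > min_sites and r.pct_blacklisted >= min_pct]

if __name__ == "__main__":
    for lo, hi in ((1, 3), (4, 6), (7, 9)):
        print(f"ranks {lo}-{hi}: {average_pct(SAMPLE, lo, hi):.2f}% blacklisted on average")
    for r in worst_offenders(SAMPLE):
        print(f"AS {r.asn} ({r.name}): {r.blacklisted}/{r.analyzed} = {r.pct_blacklisted:.1f}%")
```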

Interesting observations:

AS 16557 (Colo Solutions, Inc.) is well known for popping up on blacklists related to peer-to-peer networks [Is someone tracking P2P users]. It seems that this AS, which is not really concerned about the P2P traffic emanating from within its systems (traffic potentially used to exchange copyrighted material), is also not interested in paying attention to malware-infected websites hosted within its networks.

AS 15169 (Google Inc.) had 590734 sites analyzed, and 6046 of them were found to contain malware.

AS 14173 (Photobucket) had zero sites infected out of 399424 sites analyzed.

The largest AS by connection degree (Level 3 Communications; see CAIDA’s AS listing) was hosting 571 infected sites out of 136305 sites analyzed by Google.

AS 7018 (AT&T) was hosting 97 infected sites out of 7947 sites analyzed by Google.

AS 701 (Verizon) was hosting 117 infected sites out of 7248 sites analyzed by Google.

AS 1239 (Sprint) was hosting 117 infected sites out of 3958 sites analyzed by Google.

Making Sense of the Results

Below we present some graphs to highlight the percentage of blacklisted websites hosted by the top few ASes. Note that all AS rankings below are based on the number of websites analyzed by Google: an AS with rank 1 hosts more websites analyzed by Google than an AS with rank 2.

[Figure: Nearly 50 ASes host at least 600 blacklisted sites each]

[Figure: Top 10 ASes host large percentages of blacklisted sites]

[Figure: ASes hosting more than 10,000 sites (each having more than 6% infected sites)]

Below follows the list of ASes that host more than 10,000 sites each, of which at least 6% (600) are blacklisted by Google. Perhaps more attention needs to be focused on fighting malware from within these ASes. There are quite a few prominent web-hosting companies in this list. Note that all ASes below are ranked by the number of websites analyzed by Google: an AS that appears earlier in the list hosts more websites analyzed by Google than an AS that appears later in the list.

How long does it take for a malware-infested site to get removed from the blacklists you specify? What exactly are your methods for compiling the list?

I work for one of the companies in the top 10 in your list, and it’s simply a lie to say that more than 6% of the sites on our network host malware. We have an excellent security team, and we typically delete malware or suspend malware-hosting accounts within hours of notice.

Posted by Anon on February 17th

A site can be removed from Google’s blacklist in anywhere between 10 minutes and a few hours (depending on the load they are facing). However, some sites remain blacklisted for weeks because they do not clean up their act before requesting multiple re-scans.

You may have an excellent security team, but sites you host are still being compromised; your comment implies that. It is good to know that your team is responsive.

If you would like a re-examination of your IP ranges/ASN, please contact us and we will re-run our tests to give you a better idea of what’s going on.

We at stopthehacker.com do not blacklist your sites or anyone’s site for that matter (at least not to date). The blacklist information is available, publicly, using Google’s Safe Browsing data.